From psirt@cisco.com Sun Aug 3 16:30:25 2003
From: Cisco Systems Product Security Incident Response Team
To: cust-security-announce@cisco.com
Cc: psirt@cisco.com
Date: Mon, 28 Jul 2003 09:00:00 -0700 (UTC)
Subject: Cisco Security Advisory: HTTP GET Vulnerability in AP1x00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: HTTP GET Vulnerability in AP1x00
Revision 1.0
For Public Release 2003 July 28 16:00 UTC (GMT)
----------------------------------------------------------------------
Contents
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
----------------------------------------------------------------------
Summary
A vulnerability has been reported by an external researcher in Cisco
IOS(R) release for Cisco Aironet AP1x00 Series Wireless devices. The
vulnerability affects only IOS-based Cisco Aironet Wireless products. The
VxWorks based Cisco Aironet Wireless Devices are not affected. This
vulnerability can cause the AP1x00 to reload and is documented as Cisco
bug ID CSCeb49869 (registered customers only) (also CAN-2003-0511). There
are workarounds available to mitigate the effects of this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20030728-ap1x00.shtml.
The external report can be found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm
leavingcisco.com. Although it mentions two issues only one is addressed by
this advisory. The other issue, Cisco bug ID CSCdz29724 (registered
customers only) (also CAN-2003-512), is present in all IOS software and is
duplicated by the AP1x00 specific Cisco bug ID CSCeb49842 (registered
customers only) . More details about it can be found at
http://www.cisco.com/warp/public/707/cisco-sn-20030724-ios-enum.shtml.
Affected Products
Only the following Cisco IOS-based wireless Access Points are affected:
+------------------------------------------+
| Hardware Model | Software Release(s) |
|--------------------+---------------------|
|Cisco Aironet |12.2(4)JA, |
|Wireless Access |12.2(4)JA1, |
|Point AP1100 series |12.2(8)JA, 12.2(11)JA|
|--------------------+---------------------|
|Cisco Aironet | |
|Wireless Access |12.2(8)JA, 12.2(11)JA|
|Point AP1200 series | |
|--------------------+---------------------|
|Cisco Aironet | |
|Wireless Bridge |12.2(11)JA |
|AP1400 series | |
+------------------------------------------+
All previous VxWorks-based software releases for Cisco Aironet Access
Point 1200 are not affected. That includes the following, and earlier,
software releases: 11.56, 12.01T1, 12.02T1, 12.03T.
In order to determine your software release you should log on the Access
Point using any account available and execute the following command:
access-point> show ver
Cisco Internetwork Operating System Software
IOS (tm) C1100 Software (C1100-K9W7-M), Version 12.2(8)JA, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1) ^^^^^^^^^
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
The Cisco IOS software version is displayed in the second line of the
output. In this example it is 12.2(8)JA.
Details
Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device
to reload.
Impact
Repeated exploitation of this vulnerability can lead to a prolonged
Denial-of-Service (DoS) of the AP1x00.
Software Versions and Fixes
The vulnerability is fixed in the 12.2(11)JA1 version of the software for
all Cisco Aironet AP1x00 devices.
Obtaining Fixed Software
Cisco is offering free software upgrades to address these vulnerabilities
for all affected customers. Customers may only install and expect support
for the feature sets they have purchased. By installing, downloading,
accessing or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Customers with service contracts should contact their regular update
channels to obtain the free software upgrade identified via this advisory.
For most customers with service contracts, this means that upgrades should
be obtained through the Software Center on Cisco's worldwide website at
http://www.cisco.com/tacpage/sw-center/sw-wireless.shtml. To access the
software download URL, you must be a registered user and you must be
logged in.
Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
There are two workarounds for this vulnerability. One is to use
access-class or access-list commands to limit the access to legitimate
hosts only, and another workaround is to disable HTTP and use SSH to
administer the Cisco Aironet Access Point.
The example of using access-class is given here:
ap(config)# ip http access-class 10
ap(config)# access-list 10 permit host 10.0.0.1
In this example, host 10.0.0.1 is the only one that is allowed to access
the AP. All other hosts are prohibited.
To disable HTTP and enable SSH use this example:
ap(config)# no ip http server
ap(config)# ip domain name
ap(config)# crypto key generate rsa
The name for the keys will be: ap.your-domain
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
ap(config)# line vty 0 4
ap(config-line)# transport input ssh
Now you can connect to the Cisco Aironet AP using SSH client from your
computer. There are many free and commercial versions of SSH software
available.
In addition to the workarounds it is possible to mitigate the exposure by
configuring ACLs on the device so that only legitimate hosts can use the
http service. This can be done in the following way:
access-list 111 permit tcp host 10.0.0.1 host 10.0.0.50 eq www
In this example the host 10.0.0.1 is the only one that is allowed to
access the device at 10.0.0.50. You will have to change host IP addresses
and the ACL number to suit your configuration. This ACL will have to be
applied to all interfaces and block all IP addresses assigned to the
affected device.
Exploitation and Public Announcements
This vulnerability is reported by Reda Zitouni from Vigilante. Their
report can be found at
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm
leavingcisco.com.
The Cisco PSIRT is not aware of malicious use of the vulnerability
described in this advisory.
Status of This Notice: FINAL
This is a final advisory. Although Cisco cannot guarantee the accuracy of
all statements in this advisory, all of the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco will update this
advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain factual
errors.
Distribution
This notice will be posted on Cisco's worldwide website at .
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* full-disclosure@lists.netsys.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.
Revision History
+------------------------------------------+
|Revision|2003-July-28 16:00 UTC |Initial |
|1.0 |(GMT) |public |
| | |release.|
+------------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
----------------------------------------------------------------------
This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and
include all date and version information.
----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT
iD4DBQE/JUmbezGozzK2tZARArXRAKCIRsac6s3i7oRAEf4/2khQBKdEcgCXTsum
aQeEFDQLBhqS5wu0CarFkg==
=ehoq
-----END PGP SIGNATURE-----